From: Andi Kleen <andi@firstfloor.org>
To: Theodore Tso <tytso@mit.edu>, Andi Kleen <andi@firstfloor.org>,
Arjan van de Ven <arjan@infradead.org>,
Chris Peterson <cpeterso@cpeterso.com>,
Herbert Xu <herbert@gondor.apana.org.au
Subject: Re: [PATCH] Re: [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM
Date: Sun, 18 May 2008 19:53:58 +0200 [thread overview]
Message-ID: <48306D36.6040706@firstfloor.org> (raw)
In-Reply-To: <20080518112657.GK16496@mit.edu>
> See why the qualifying statements is so important? If you really
> believe that there isn't enough entropy after installing a
> distribution, THEN YOU SHOULDN'T BE GENERATING SSH HOST KEYS. The
> problem is that the server scenario with no keyboard case is a really
> nasty one.
It's made worse by not feeding in the network interrupts.
I never quite understood the rationale behind that one either:
if you worry about someone else controlling the timing of these events,
why do you not worry about timings on the local system. e.g.
it's not that hard to predict with similar accuracy when a hard disk
interrupt happened when a local process read something from disk. Or
when the keyboard/USB interrupt happened when you process keyboard input.
On the other hand if only the low bits of the time stamp counter
are used it should be still random enough in all cases because
real systems don't behave predictable down to ns levels.
>
>> See also the distinction between "user controlled visible cryptography"
>> and "background cryptography" I introduced in a earlier mail on that
>> topic. gpg can only get away with it because they rely on a high level
>> of user education (so requiring banging on keys is ok), but that's
>> not really an option for your normal "everyday background crypto",
>> including longer term keys.
>
> No, this distinction is a specious one, I think. It's really more a
> level of paranoia.
If people don't realize cryptography is used they can't really
have any paranoia. And you can only get away with paranoia requiring
significant user action (like banging on keys) if they realize that.
> People tend to be much more paranoid about their
> own personal keys,
In this case I would say it's more the program authors because the users
don't really have any choice.
> That says
> something about how much they care about security right there.
It's more a question on how practical security is. If security
gets too complicated nobody will use it.
[classical example of that is to force users to use unrememberable
"strong" passwords -- result is that they are just written down on
postit notes and pinned to monitors. Same effect here]
>> Instead I think just both urandom and random should try to rely
>> on TPMs and other hardware rngs and always get high quality bit noise.
>
> Sure, if you can get access to a TPM or a hardware rng, that's
> *always* a better choice.
Yes definitely, but the trouble is /dev/random does not use it by
default. So even if you have a working hardware RNG there's no
improvement on what comes out of /dev/u?random
But the reason for /dev/random and
> /dev/urandom's existence is that hardware manufacturers have either
> not included a real hardware RNG, or made it impossible to get to it.
> (I *still* haven't figured out how to access my TPM on my Lenovo
> laptops. Anyone who can send me turn-key instructions, let me know
> off-line.) Intel used to provide a true hardware RNG in their
> chipsets a few years ago (props to them), but then stopped after one
> generation (boo, hiss).
Yes, but we don't use it either by default. So even if you have
such a chipset your /dev/random output isn't improved in any ways.
> If there is a way that we can at least seed /dev/random from the TPM
> (without needing any magic enabling keys, etc.) once at boot time, and
> then rely on what we can get from the environment, maybe we can do it
> in the kernel without needing to move all of the TPM access/contention
> control logic from userspace into the kernel.
Jeff's patch looked like a good start. I'll try to come up with
a complete patch series that auto feeds. The only system I have with a
TPM is a T61, let's see if trousers works on that.
There's also a couple of other problems here I believe, in particular
some of the kernel subsystems who get random numbers for their purpose
get it too early before there's any chance of seeing.
Also for a lot of kernel purposes (like the networking hash tables) it's
really wasteful to use the precious entropy pool entropy. It should
rather just seed some cryptographic PRNG once and then use output
from that for kernel purposes (or alternatively at least not
remove entropy credit from the random pool)
-Andi
next prev parent reply other threads:[~2008-05-18 17:54 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-15 7:11 [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM Chris Peterson
2008-05-15 13:21 ` Alan Cox
2008-05-15 16:07 ` Brandeburg, Jesse
2008-05-15 16:39 ` Alan Cox
2008-05-15 18:14 ` Jeff Garzik
2008-05-15 18:47 ` Kok, Auke
2008-05-15 19:10 ` Jeff Garzik
2008-05-15 18:50 ` Rick Jones
2008-05-15 19:11 ` Jeff Garzik
2008-05-15 19:55 ` [PATCH] " Jeff Garzik
2008-05-16 0:27 ` Andi Kleen
2008-05-16 9:56 ` Alan Cox
2008-05-16 10:19 ` Andi Kleen
2008-05-16 12:12 ` Herbert Xu
2008-05-16 16:25 ` Andi Kleen
2008-05-17 1:01 ` Herbert Xu
2008-05-17 10:59 ` Andi Kleen
2008-05-17 19:54 ` Chris Peterson
2008-05-17 20:05 ` Arjan van de Ven
2008-05-18 10:13 ` Andi Kleen
2008-05-18 11:26 ` Theodore Tso
2008-05-18 12:57 ` Joe Korty
2008-05-18 17:53 ` Andi Kleen [this message]
2008-05-25 15:26 ` Glen Turner
2008-05-19 12:29 ` Benny Amorsen
2008-05-18 10:08 ` Andi Kleen
2008-05-22 9:28 ` Helge Hafting
2008-05-16 13:20 ` Adrian Bunk
2008-05-16 16:20 ` Andi Kleen
2008-05-16 19:47 ` David Miller
2008-05-16 23:28 ` Rick Jones
2008-05-15 18:04 ` Jeff Garzik
2008-05-15 18:17 ` Rick Jones
2008-05-15 18:31 ` Jeff Garzik
2008-05-15 18:47 ` Kok, Auke
2008-05-15 19:21 ` Jeff Garzik
2008-05-15 20:01 ` Chris Peterson
2008-05-15 20:16 ` Jeff Garzik
2008-05-15 20:39 ` Kok, Auke
2008-05-15 21:47 ` Theodore Tso
2008-05-15 21:58 ` Jeff Garzik
2008-05-15 22:29 ` Henrique de Moraes Holschuh
2008-05-15 22:44 ` Jeff Garzik
2008-05-15 23:02 ` Henrique de Moraes Holschuh
2008-05-15 23:36 ` Theodore Tso
2008-05-15 23:46 ` Henrique de Moraes Holschuh
2008-05-15 23:33 ` Theodore Tso
2008-05-15 23:58 ` Henrique de Moraes Holschuh
2008-05-16 13:21 ` Lennart Sorensen
2008-05-16 13:40 ` Jeff Garzik
2008-05-16 13:59 ` Will Newton
2008-05-16 14:15 ` Lennart Sorensen
2008-05-16 14:27 ` Jeff Garzik
2008-05-16 15:10 ` Alan Cox
2008-05-16 17:36 ` Lennart Sorensen
2008-05-16 18:11 ` Alan Cox
2008-05-16 18:40 ` Kok, Auke
2008-05-16 18:41 ` Lennart Sorensen
2008-05-16 18:42 ` Lennart Sorensen
2008-05-16 20:04 ` Alan Cox
2008-05-16 20:39 ` Lennart Sorensen
2008-05-16 20:46 ` Alan Cox
2008-05-16 20:34 ` Benny Amorsen
2008-05-25 15:02 ` Glen Turner
2008-05-25 19:33 ` Benny Amorsen
2008-05-17 4:55 ` Chris Peterson
2008-05-25 15:09 ` Glen Turner
2008-05-25 23:27 ` Theodore Tso
2008-05-26 13:43 ` Alejandro Riveira Fernández
2008-05-26 15:14 ` Bill Fink
2008-05-26 21:07 ` Krzysztof Halasa
2008-05-26 21:52 ` Bill Fink
2008-05-26 22:11 ` Ben Hutchings
2008-05-27 16:44 ` Rick Jones
2008-05-30 19:50 ` Pavel Machek
2008-05-25 14:55 ` Glen Turner
[not found] ` <482C8550 <20080516161029.44ded734@core>
2008-05-16 20:08 ` Gilles Espinasse
2008-05-17 22:02 ` Adrian Bunk
2008-05-18 6:41 ` [PATCH] drivers/net: remove network drivers' last few uses ofIRQF_SAMPLE_RANDOM Gilles Espinasse
2008-05-18 9:54 ` Alan Cox
2008-05-18 12:02 ` Adrian Bunk
2008-05-18 12:24 ` Theodore Tso
2008-05-18 14:43 ` Adrian Bunk
2008-05-15 21:55 ` [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM Adrian Bunk
2008-05-15 22:04 ` Jeff Garzik
2008-05-15 22:27 ` Theodore Tso
2008-05-15 22:13 ` Jesper Juhl
2008-05-15 22:34 ` Theodore Tso
2008-05-15 22:57 ` Jesper Juhl
2008-05-18 0:36 ` Matt Mackall
2008-05-15 22:42 ` Jeff Garzik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48306D36.6040706@firstfloor.org \
--to=andi@firstfloor.org \
--cc=arjan@infradead.org \
--cc=cpeterso@cpeterso.com \
--cc=herbert@gondor.apana.org.au \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).